INFORMATION SECURITY
• It is a prime concern for organizations that use computer-based information systems, since the potential for information security breaches is much higher in these than in manual systems.
• It relates to the protection of assets against loss, damage, or disclosure of information.
• The basic objective of IS is to protect the interests of those who rely on information from harm resulting from failures of availability, confidentiality and integrity.
• The IS objective is met when:
  – Information systems are available and usable whenever required (availability objective)
  – Information is disclosed only to those who have the right to know it (confidentiality objective)
  – Information is protected against unauthorized modification (integrity objective)
1. Accountability principle: the following issues should be considered:
• Specification of ownership of data and information
• Unique identification of users who access the system
• Assignment of responsibility for maintenance of data and information
• Institution of investigative and other remedial procedures when a breach or an attempted breach of information security occurs.
2. Awareness principle: the following issues should be considered:
• The level of detail disclosed should be consistent with information security requirements
• Appropriate knowledge should be available to all parties concerned
• Information security is not a one-shot action but an on-going process, so that it becomes part of the organizational culture
• Security awareness, being an on-going process, applies to all employees, whether old hands or new recruits
3. Multidisciplinary principle: the issues to be tackled in this context are:
• Business value of the information being protected
• Technology that is available to meet information security needs
• Impact of organizational and technological changes
• Requirements of legal and industry norms
• Requirements of managing advanced technology for information security
4. Integration principle: the issues that should be addressed are:
• Information security policy and administration to be included as an integral part of the overall management of the organization
• Information development and information security to be consistent with each other
5. Timeliness principle: the issues to be taken care of are:
• Instantaneous and irrevocable nature of business transactions
• Volume of information generated by increasingly interconnected and complex information systems
• Automated tools to support real-time monitoring
• Expediency of reporting security breaches to the appropriate decision-making level
6. Reassessment principle: the issues to be taken care of are:
• Increasing upgrades of information systems according to business needs
• Changes in information systems and their infrastructure
• New threats emerging over time, requiring extra safeguards
• New information security technology that has emerged or is emerging.
7. Cost-effectiveness principle: the issues to be taken care of are:
• Value to, and dependence of, the organization on a particular information asset
• The amount of security and confidentiality required
• The nature of the threats that exist
• Costs and benefits of security
• The optimum level beyond which the costs of security measures become prohibitive
8. Societal principle: the issues to be taken care of are:
• Fair presentation of data and information to legitimate users
• Ethical use and disclosure of information obtained from others
APPROACHES
• Preventive information protection approach
• Restorative information protection approach
• Holistic information protection approach
IMPLEMENTATION OF IS
1. DEVELOPMENT OF SECURITY POLICIES
2. PRESCRIBING ROLES AND RESPONSIBILITIES
3. DESIGNING SECURITY MEASURES
4. EDUCATING EMPLOYEES
5. IMPLEMENTATION
6. MONITORING
1. DEVELOPMENT OF SECURITY POLICIES
• A policy is a statement or general understanding that provides guidelines for decision making to members of an organization in respect of any course of action
• While designing such policies the core principles of IS should be kept in mind so that sound policies are developed
• It should cover the following aspects:
  – The importance and need of IS in the organization
  – Statement from the chief executive of the organization in support of the objectives of effective IS
  – Data security
  – Communication security / Personnel security
  – Description of responsibility and accountability for IS
  – Physical, logical and environmental security
  – Security awareness, education and training
  – Security breaches, detection and reporting requirements
2. PRESCRIBING ROLES AND RESPONSIBILITIES
• Chief information executive: has overall responsibility for developing and operating information systems, including their security
• Information security administrator: has overall responsibility for information security
• Other professionals: responsible for security measures in their respective areas
• Data owners: responsible for ensuring that appropriate security, consistent with organizational policies, is embedded in the information systems
• Technology providers: responsible for assisting in the implementation of IS
• Users: responsible for adhering to the procedures prescribed for IS
3. DESIGNING SECURITY MEASURES
• It includes prescribing standards, procedures, methods, and practices in respect of IS.
• While designing security measures, the security requirements of individual information systems should be taken into account, as different information systems have different security requirements.
4. EDUCATING EMPLOYEES
• Technical training
• Behavioral training
5. IMPLEMENTATION
• Managerial controls
• Identification and authentication controls
• Logical access controls
• Accountability controls
• Cryptographic controls
• Computer operations controls
• Physical and environmental controls
6. MONITORING
Issues that need to be addressed in achieving effective monitoring include:
• Appointment of an appropriate person, such as the information security administrator, with adequate authority, tools and resources to exercise control
• Establishment of clear investigating procedures
• Information system audit by external auditors
• Establishment of audit trail information from the large number of systems that may need to be examined.
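The implementation controls listed under step 5 (identification and authentication, logical access, accountability, cryptographic) and the monitoring issue of pulling audit trails from many systems are easier to picture in code. The following is an added example, not part of the slides: a constructed user store with salted password hashes, a role-based access check, a hash-chained audit trail per system (so removal or alteration of an entry is detectable, which is the accountability point), and a monitoring function that consolidates the trails of several systems to report users with repeated failed logins. User names, passwords, systems and thresholds are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Identification and authentication control: passwords are never stored,
# only a salted PBKDF2 hash of each one. Sample users are constructed.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(username: str, password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"user": username, "salt": salt,
            "hash": _hash_password(password, salt), "role": role}

USERS = {u["user"]: u for u in [
    make_user("alice", "correct-horse", "data_owner"),
    make_user("bob", "battery-staple", "user"),
]}

# Logical access control: which roles may perform which actions.
PERMISSIONS = {"data_owner": {"read", "write"}, "user": {"read"}}

class AuditTrail:
    """Accountability control: an append-only log in which every entry
    carries the hash of the previous entry. Altering or removing an entry
    breaks verification of everything recorded after it."""
    def __init__(self, system: str):
        self.system = system
        self.entries = []

    def record(self, user, action, resource, outcome):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"system": self.system,
                 "ts": datetime.now(timezone.utc).isoformat(),
                 "user": user, "action": action, "resource": resource,
                 "outcome": outcome, "prev": prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(prev.encode() + body).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or dropped."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            expected = hashlib.sha256(
                prev.encode() + json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True

def authenticate(username, password, trail: AuditTrail) -> bool:
    rec = USERS.get(username)
    ok = rec is not None and hmac.compare_digest(
        rec["hash"], _hash_password(password, rec["salt"]))
    trail.record(username, "login", "-", "success" if ok else "failure")
    return ok

def access(username, action, resource, trail: AuditTrail) -> bool:
    role = USERS.get(username, {}).get("role")
    allowed = action in PERMISSIONS.get(role, set())
    trail.record(username, action, resource, "allowed" if allowed else "denied")
    return allowed

def failed_login_report(trails, threshold=3):
    """Monitoring: consolidate the audit trails of many systems and list the
    users whose failed logins across all of them reach the threshold."""
    counts = {}
    for t in trails:
        for e in t.entries:
            if e["action"] == "login" and e["outcome"] == "failure":
                counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)

def demo():
    hr, fin = AuditTrail("hr"), AuditTrail("finance")   # two constructed systems
    authenticate("alice", "correct-horse", hr)
    access("alice", "write", "payroll", hr)             # allowed: data_owner
    authenticate("bob", "battery-staple", fin)
    access("bob", "write", "ledger", fin)               # denied: user may only read
    for _ in range(2):                                  # 4 failures spread over 2 systems
        authenticate("mallory", "guess", hr)
        authenticate("mallory", "guess", fin)
    return failed_login_report([hr, fin]), hr.verify() and fin.verify()

if __name__ == "__main__":
    print(demo())
```

No single system sees more than two failures for "mallory"; only the consolidated view crosses the threshold, which is why the slide stresses collecting audit trails from many systems.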
INTERNET FRAUDS
Hacking
Protection against hacking:
• Checking system security
• Use of firewalls
• Data encryption
Viruses
Protection against viruses:
• Use of antivirus software
• Procurement of software from reliable sources
• Testing new applications on stand-alone systems
MEASURES AGAINST COMPUTER FRAUDS
• Detection of frauds
• Disk imaging and analysis technique:
  – Imaging the hard disk
  – Recovering deleted files
  – Analysis of the processed image
• Actions after detection of frauds
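The three steps of the disk imaging and analysis technique, as an added example that is not from the slides. The volume format (magic, a directory of fixed-size entries with a "deleted" flag, then a data region) is a toy layout constructed here purely for illustration and does not correspond to any real file system; the file names and contents are constructed too. The code images the device bit for bit while hashing both source and copy so the image can be verified before analysis, recovers files whose directory entries are marked deleted but whose data has not been overwritten, and carves by file signature for cases where the directory itself is gone. All analysis runs against the image, never the original device.

```python
import hashlib
import io
import struct

# Constructed toy volume layout (hypothetical, for illustration only):
#   bytes 0-3 : magic b"TOYF"
#   bytes 4-7 : entry count (uint32 LE)
#   then 32-byte entries: name[16] NUL-padded, offset u32, length u32, flags u32, 4 reserved
#   flags bit 0 set -> entry deleted (directory row kept, data not yet overwritten)
#   data region follows the directory.
HEADER = struct.Struct("<4sI")
ENTRY = struct.Struct("<16sIII4x")

def build_volume(files):
    """files: list of (name, content, deleted). Returns raw volume bytes."""
    header_len = HEADER.size + ENTRY.size * len(files)
    data, entries = bytearray(), []
    for name, content, deleted in files:
        offset = header_len + len(data)
        entries.append(ENTRY.pack(name.encode().ljust(16, b"\0"),
                                  offset, len(content), 1 if deleted else 0))
        data += content
    return HEADER.pack(b"TOYF", len(files)) + b"".join(entries) + bytes(data)

def image_device(device, chunk=4096):
    """Step 1: bit-for-bit copy. Hash the source as it is read and hash the
    finished image separately; matching digests verify the copy."""
    device.seek(0)
    img, src_hash = bytearray(), hashlib.sha256()
    while True:
        block = device.read(chunk)
        if not block:
            break
        img += block
        src_hash.update(block)
    image = bytes(img)
    return image, src_hash.hexdigest(), hashlib.sha256(image).hexdigest()

def list_entries(image):
    """Step 3 helper: parse the directory of the image."""
    magic, count = HEADER.unpack_from(image, 0)
    if magic != b"TOYF":
        raise ValueError("not a TOYF volume")
    out = []
    for i in range(count):
        name, off, length, flags = ENTRY.unpack_from(image, HEADER.size + i * ENTRY.size)
        out.append({"name": name.rstrip(b"\0").decode(), "offset": off,
                    "length": length, "deleted": bool(flags & 1)})
    return out

def recover_deleted(image):
    """Step 2: deleted entries still point at their data until it is overwritten."""
    return {e["name"]: image[e["offset"]:e["offset"] + e["length"]]
            for e in list_entries(image) if e["deleted"]}

def carve_by_signature(image, signature):
    """Step 2, directory-independent: offsets where a known file signature occurs."""
    hits, start = [], image.find(signature)
    while start != -1:
        hits.append(start)
        start = image.find(signature, start + 1)
    return hits

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def demo():
    files = [("report.txt", b"Quarterly figures: OK", False),      # constructed
             ("secret.txt", b"DELETED-BUT-PRESENT", True),         # constructed, "deleted"
             ("logo.png", PNG_MAGIC + b"\x00" * 8, False)]         # constructed
    device = io.BytesIO(build_volume(files))
    image, src_hash, img_hash = image_device(device)
    verified = src_hash == img_hash
    return recover_deleted(image), carve_by_signature(image, PNG_MAGIC), verified

if __name__ == "__main__":
    print(demo())
```

With three entries the directory ends at byte 104, so the PNG signature is found at offset 144 (after the two text files), and the "deleted" file is fully recoverable because nothing has been written over it.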
PREVENTION OF COMPUTER FRAUDS
• Making fraud difficult to commit
  – Applying strong controls
  – Rotating jobs
  – Controlling sensitive data
  – Controlling laptop computers
  – Applying harsh punishment measures
• Improving fraud detection methods
  – Use of fraud detection software
  – Use of a computer security officer
  – Monitoring system activities
  – Conducting system audits